It’s a brand new day with a brand new privacy issue for popular video calling app Zoom. Last night, The Intercept published a report highlighting that Zoom‘s claim of having end-to-end encryption for its meetings is not true.
The video conferencing company boasts about end-to-end encryption on its website, and in a separate security-related white paper. However, The Intercept’s report found that the service uses transport encryption instead.
Transport encryption is a Transport Layer Security (TLS) protocol, that secures the connection between you and the server you’re connected to. That’s the same encryption used in a secure connection between you and any website with HTTPS protocol. The key difference between transport encryption and end-to-end encryption is that Zoom (or the server you’re connected to) will be able to see your data.
In a comment provided to The Intercept, Zoom confirmed that the service doesn’t provide end-to-end encryption at the moment:
Currently, it is not possible to enable E2E encryption for Zoom video meetings. Zoom video meetings use a combination of TCP and UDP. TCP connections are made using TLS and UDP connections are encrypted with AES using a key negotiated over a TLS connection.
The company clarified that “end-to-end” mention in the literature refers to Zoom endpoints aka Zoom server, which sits between clients. So, it can technically look at your data. While the firm denies that it can access or sells user data to third-parties, it would’ve been better to clearly state the encryption standards it uses.
This isn’t the first time Zoom’s shady policies have come to light. A report by Bleeping Computer published today notes that it’s possible for hackers to steal passwords through Zoom’s Windows client.
Last week, the service’s iOS app was found to be sending data to Facebook without explicit user consent. The company removed the code that was sending data to the social network later. Last month, the digital rights non-profit Electronic Frontier Foundation (EFF) noted that using Zoom’s products can have some serious implications on your privacy.
Yesterday, Privacy-focused browser Tor suggested that you should ditch Zoom and use an open-source solution called Jitsi Meet.
If you want an alternative to Zoom: try Jitsi Meet. It's encrypted, open source, and you don't need an account. https://t.co/ydA10G0hfZ
— The Tor Project (@torproject) March 31, 2020
However, if you absolutely have use Zoom, you can use web links for browsers through a handy Chrome extension developed by Arkadiy Tetelman.
To that end, the ball is in the video conferencing app’s court to repair its reputation, and implement strong and transparent privacy practices. Otherwise, people will soon turn to freely available and more secure alternatives.